We use openssl-1.0.2u for CI builds:

https://github.com/haproxy/haproxy/runs/1743866222?check_suite_focus=true


Not sure about 1.0.2 beta.

пт, 22 янв. 2021 г. в 02:19, Bertrand Jacquin <[email protected]>:

> According to INSTALL file, OpenSSL 1.0.2 is still supported by HAProxy,
> however OpenSSL 1.0.2 lacking CRYPTO_memcmp(), haproxy does not build:
>
>   $ make V=1 TARGET=linux-glibc USE_NS= USE_OPENSSL=1
>   ..
>   cc -Iinclude  -O2 -g -Wall -Wextra -Wdeclaration-after-statement
> -fwrapv  -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
> -Wno-clobbered -Wno-missing-field-initializers   -Wtype-limits
>  -DUSE_EPOLL  -DUSE_NETFILTER     -DUSE_POLL  -DUSE_THREAD
> -DUSE_BACKTRACE   -DUSE_TPROXY -DUSE_LINUX_TPROXY -DUSE_LINUX_SPLICE
> -DUSE_LIBCRYPT -DUSE_CRYPT_H -DUSE_GETADDRINFO -DUSE_OPENSSL  -DUSE_FUTEX
> -DUSE_ACCEPT4    -DUSE_CPU_AFFINITY -DUSE_TFO  -DUSE_DL -DUSE_RT
> -DUSE_PRCTL -DUSE_THREAD_DUMP
> -DCONFIG_HAPROXY_VERSION=\"2.4-dev5-37286a-78\"
> -DCONFIG_HAPROXY_DATE=\"2021/01/21\" -c -o src/sample.o src/sample.c
> src/sample.c: In function 'sample_conv_secure_memcmp':
> src/sample.c:3130:2: warning: implicit declaration of function
> 'CRYPTO_memcmp'
>   ..
>   cc  -g -o haproxy src/ev_poll.o src/ev_epoll.o src/ssl_sample.o
> src/ssl_sock.o src/ssl_crtlist.o src/ssl_ckch.o src/ssl_utils.o
> src/cfgparse-ssl.o src/mux_h2.o src/mux_fcgi.o src/http_ana.o src/stream.o
> src/mux_h1.o src/stats.o src/flt_spoe.o src/backend.o src/tcpcheck.o
> src/server.o src/tools.o src/cli.o src/cfgparse.o src/log.o
> src/cfgparse-listen.o src/check.o src/stick_table.o src/peers.o src/dns.o
> src/stream_interface.o src/sample.o src/http_htx.o src/haproxy.o
> src/http_act.o src/proxy.o src/pattern.o src/listener.o src/cache.o
> src/http_fetch.o src/session.o src/connection.o src/sink.o src/task.o
> src/filters.o src/fcgi-app.o src/tcp_rules.o src/payload.o src/mux_pt.o
> src/flt_http_comp.o src/cfgparse-global.o src/vars.o src/map.o src/debug.o
> src/queue.o src/h1_htx.o src/compression.o src/mworker.o src/flt_trace.o
> src/acl.o src/trace.o src/proto_sockpair.o src/proto_tcp.o src/lb_chash.o
> src/htx.o src/xprt_handshake.o src/h1.o src/sock.o src/ring.o
> src/extcheck.o src/tcp_sample.o src/frontend.o src/h2.o src/channel.o
> src/applet.o src/tcp_act.o src/http_rules.o src/fd.o src/raw_sock.o
> src/pool.o src/mailers.o src/http_conv.o src/lb_fwrr.o src/proto_uxst.o
> src/http.o src/lb_fwlc.o src/lb_fas.o src/activity.o src/sock_unix.o
> src/protocol.o src/mworker-prog.o src/signal.o src/proto_udp.o src/lb_map.o
> src/sock_inet.o src/ev_select.o src/cfgparse-tcp.o src/action.o
> src/thread.o src/sha1.o src/ebmbtree.o src/cfgparse-unix.o src/dict.o
> src/time.o src/hpack-dec.o src/arg.o src/hpack-tbl.o src/eb64tree.o
> src/chunk.o src/shctx.o src/regex.o src/fcgi.o src/eb32tree.o
> src/eb32sctree.o src/dynbuf.o src/pipe.o src/lru.o src/ebimtree.o
> src/uri_auth.o src/freq_ctr.o src/ebsttree.o src/ebistree.o src/auth.o
> src/wdt.o src/http_acl.o src/hpack-enc.o src/hpack-huff.o src/ebtree.o
> src/base64.o src/hash.o src/dgram.o src/version.o src/fix.o src/mqtt.o
>  -lcrypt -ldl -lrt -lpthread -Wl,--export-dynamic  -lssl -lcrypto -ldl
>   src/sample.o: In function `sample_conv_secure_memcmp':
>   src/sample.c:3130: undefined reference to `CRYPTO_memcmp'
>   collect2: ld returned 1 exit status
>   make: *** [haproxy] Error 1
>
> See:
> https://git.openssl.org/?p=openssl.git;a=commitdiff;h=f5cd3561ba9363e6bcc58fcb6b1e94930f81967d
>
>   $ git describe --contains f5cd3561ba9363e6bcc58fcb6b1e94930f81967d
>   OpenSSL_1_0_2-beta1~439
>
> Since secure_memcmp is meant to be used in constant-time-sensitive
> environments, this commit removes the converter when the version of
> OpenSSL does not meet the requirement. The related documentation is
> adjusted accordingly, pointing the user to strcmp instead.
>
> Cc: Emeric Brun <[email protected]>
> Cc: William Lallemand <[email protected]>
> ---
>  doc/configuration.txt |  6 +++++-
>  src/sample.c          | 12 +++++++-----
>  2 files changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 899bdf553a85..f25da9c1bfa6 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -15996,7 +15996,11 @@ secure_memcmp(<var>)
>    performed in constant time.
>
>    Please note that this converter is only available when haproxy has been
> -  compiled with USE_OPENSSL.
> +  compiled with USE_OPENSSL. Requires at least OpenSSL 1.0.2.
> +
> +  See also the strcmp converter if you need to compare two binary
> +  strings without concern related to constant time or if OpenSSL is not
> +  enabled.
>
>    Example :
>
> diff --git a/src/sample.c b/src/sample.c
> index bf2de2a2522d..bb12789b551f 100644
> --- a/src/sample.c
> +++ b/src/sample.c
> @@ -3100,12 +3100,14 @@ static int sample_conv_strcmp(const struct arg
> *arg_p, struct sample *smp, void
>         return 1;
>  }
>
> -#ifdef USE_OPENSSL
> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL
>  /* Compares bytestring with a variable containing a bytestring. Return
> value
>   * is `true` if both bytestrings are bytewise identical and `false`
> otherwise.
>   *
> - * Comparison will be performed in constant time if both bytestrings are
> of
> - * the same length. If the lengths differ execution time will not be
> constant.
> + * Comparison will be performed in constant time if the library support
> + * constant time memcmp (starting with OpenSSL 1.0.2) and if both
> + * bytestrings are of the same length. Otherwise execution time will not
> + * be constant.
>   */
>  static int sample_conv_secure_memcmp(const struct arg *arg_p, struct
> sample *smp, void *private)
>  {
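Review bot: The guard `HA_OPENSSL_VERSION_NUMBER > 0x1000200fL` on the new `#if` line excludes OpenSSL 1.0.2 itself (0x1000200fL is the value of the 1.0.2 release) and every 1.0.2 beta, although the commit message traces CRYPTO_memcmp() to OpenSSL_1_0_2-beta1~439 and the doc hunk now says "Requires at least OpenSSL 1.0.2"; `#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL` (or `>= 0x10002000L` to admit the betas) matches both statements. The same condition is repeated in the hunks at smp_check_secure_memcmp and in the sample_conv_kws table, so defining one feature macro next to the version check and using it in all three places would keep the copies from drifting. If sample.c does not include the header that defines HA_OPENSSL_VERSION_NUMBER (not visible from this hunk), the preprocessor evaluates the undefined name as 0 and the converter silently disappears even on recent OpenSSL, which an `#ifndef HA_OPENSSL_VERSION_NUMBER` / `#error` pair would catch. The rewritten comment still describes a non-constant-time fallback ("Otherwise execution time will not be constant") that no longer exists once the function is compiled out, so it could instead read `* Only compiled in when the library provides CRYPTO_memcmp (OpenSSL 1.0.2 and later); the comparison is constant time only when both bytestrings have the same length.`. The body of sample_conv_secure_memcmp continues outside the hunk.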
> @@ -3422,7 +3424,7 @@ static int smp_check_strcmp(struct arg *args, struct
> sample_conv *conv,
>         return 0;
>  }
>
> -#ifdef USE_OPENSSL
> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL
>  /* This function checks the "secure_memcmp" converter's arguments and
> extracts the
>   * variable name and its scope.
>   */
> @@ -3988,7 +3990,7 @@ static struct sample_conv_kw_list sample_conv_kws =
> {ILH, {
>  #endif
>         { "concat", sample_conv_concat,    ARG3(1,STR,STR,STR),
> smp_check_concat, SMP_T_STR,  SMP_T_STR },
>         { "strcmp", sample_conv_strcmp,    ARG1(1,STR), smp_check_strcmp,
> SMP_T_STR,  SMP_T_SINT },
> -#ifdef USE_OPENSSL
> +#if defined(USE_OPENSSL) && HA_OPENSSL_VERSION_NUMBER > 0x1000200fL
>         { "secure_memcmp", sample_conv_secure_memcmp,    ARG1(1,STR),
> smp_check_secure_memcmp, SMP_T_BIN,  SMP_T_BOOL },
>  #endif
>
>
>
